June 27, 2019
Whenever there are political tensions between the government of a nation and its citizens, distributed denial of service (DDoS) attacks are very often employed as a weapon to suppress the voice of protestors. On the flip side, DDoS attacks carried out by hacktivist groups in support of protestors can also be disruptive for governments and even the whole country.
Politically motivated DDoS attack is nothing new in cyberspace. A study of the patterns of some high-profile attacks in Hong Kong has shown that politically motivated DDoS attacks are strategically timed to disrupt protests and its development. Hitting the right target at the critical moment might even turn unfavorable situation around.
Hong Kong, where million-strong protests were staged in the past few weeks, has become the latest battlefield. Hong Kong is no stranger to DDoS attacks. Back in 2014, polling platform PopVote managed by universal suffrage advocates was hit by a massive 500Gbps DDoS attack before the onset of the “Umbrella Movement”.
While Hong Kong’s news organizations and pro-democracy websites have since become frequent targets, DDoS attacks are now being launched against encrypted messaging apps that protestors rely on to coordinate and communicate with one another. This exemplifies the trend that DDoS attacks are increasingly employed as weapons to achieve very specific political objectives.
On 12 June, Telegram, an encrypted messaging app used by the Hong Kong protest organizers, was reportedly hit by a massive DDoS attack. The clash leading up to this attack occurred between 4-6pm between the police and the protestors.
Within an hour, at a time when communications between the protestors were crucial for coordinating and sharing important information and updates, the attack on Telegram happened. Looking at the timeline of events, there is plenty of speculation about the origin and intent of the attack.
We surmise that the attack was carefully timed to disrupt the real-time communication of protestors on the ground in a bid to disperse them and prevent them from reassembling. This tactical strategy was successful in allowing one side to turn the situation around and gain the upper hand in a single important confrontation while catching the other side off guard.
Another DDoS attack, which we suspect hacktivists were responsible for, was carried out against the website of Hong Kong’s Hospital Authority on the night of June 12, after the police arrested patients suspected of taking part in clashes at hospitals.
To protest the way the Hong Kong Police Force handled demonstrations, Anonymous announced on June 26 that it had obtained and released a list of 628 police officers with their names, mobile phone numbers and addresses.
This is not the first time Anonymous has declared cyber warfare on the Hong Kong Government. If history is a guide, the Hong Kong Police Force data leakage case appears to be a prelude to more cyberattacks that might combine DDoS attacks and other hacking techniques.
In a professional cyberattack, DDoS attacks and hacking tend to go hand in hand, with DDoS attacks employed as a smokescreen to distract security teams. Log records are also messed up during an attack, and as such it is difficult to troubleshoot and identify hacking patterns by tracking logs.
The execution of DDoS attacks is intended to buy time for the hacker in preparation and execution of more complex hacking activities. Preparation time varies from one mission to another, depending on the security level of the target. The objectives could be data/information exfiltration, website defacement, shutting down of critical services, and destruction of important/sensitive information.
Playing an increasingly significant role in cyberattacks, launching DDoS attacks through botnets is faster, more flexible, and is easier to control. Most importantly, their impact is immediately seen and felt, and are also able to disrupt services that could not be hacked otherwise.
